Making Node.js v16 FIPS compliant is hard unless you are willing to develop your own OpenSSL 1.1.1 build and go through the FIPS validation process. It looks like Red Hat has done it, see link.
If you run the UBI image with Node.js, it looks like it is using a FIPS-compliant Node.js stack (i.e. a Node.js compiled against the FIPS version of OpenSSL, and doing all crypto ops using FIPS-validated modules). Note that in the transcript below FIPS mode is off by default (`crypto.getFips()` returns 0) and only becomes active when Node is started with `--force-fips`, at which point a non-approved digest such as MD5 is rejected:
```console
$ docker run -it registry.access.redhat.com/ubi8/nodejs-16-minimal /bin/bash
bash-4.4$ openssl version
OpenSSL 1.1.1k FIPS 25 Mar 2021
bash-4.4$ node -p 'crypto.getFips()'
0
bash-4.4$ node -p 'crypto.createHash("md5")'
Hash {
  _options: undefined,
  [Symbol(kHandle)]: Hash {},
  [Symbol(kState)]: { [Symbol(kFinalized)]: false }
}
bash-4.4$ node --force-fips -p 'crypto.getFips()'
1
bash-4.4$ node --force-fips -p 'crypto.createHash("md5")'
node:internal/crypto/hash:67
    this[kHandle] = new _Hash(algorithm, xofLen);
                    ^

Error: error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
    at [eval]:1:8
    at Script.runInThisContext (node:vm:129:12)
    at Object.runInThisContext (node:vm:305:38)
    at node:internal/process/execution:75:19
    at [eval]-wrapper:6:22
    at evalScript (node:internal/process/execution:74:60)
    at node:internal/main/eval_string:27:3 {
  library: 'digital envelope routines',
  function: 'EVP_DigestInit_ex',
  reason: 'disabled for FIPS',
  code: 'ERR_OSSL_EVP_DISABLED_FOR_FIPS'
}
bash-4.4$ node -e "console.log(process.versions)" | grep openssl
  openssl: '1.1.1k',
```
As per the license agreement, my understanding is that UBI images can be freely used in a commercial environment. Therefore, nodejs-16-minimal looks like a very simple (and free?) way to have a FIPS-compliant Node.js service. Of course, the container image should run on top of FIPS-validated infrastructure (e.g. a host operating system with FIPS mode enabled).